[Python-Dev] Releases for recent security vulnerability

Jesse Noller jnoller at gmail.com
Sun Apr 17 16:00:00 CEST 2011


On Sun, Apr 17, 2011 at 9:42 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> On Sunday, 17 April 2011 at 09:30 -0400, Jesse Noller wrote:
>> >
>> > If we want to make official announcements (like releases or security
>> > warnings), I don't think the blog is appropriate. A separate
>> > announcement channel (mailing-list or newsgroup) would be better, where
>> > people can subscribe knowing they will only get a couple of e-mails a
>> > year.
>> >
>> > Regards
>> >
>> > Antoine.
>>
>> And whose responsibility is it to email yet another mythical list? The
>> person posting the fix? The person who found and filed the CVE? The
>> release manager?
>
> Well, whose responsibility is it to make blog posts about security
> issues? If you can answer this question then the other question
> shouldn't be any more difficult to answer ;)
>
> I don't think the people who may be interested in security announcements
> want to monitor a generic development blog, since Python is far from the
> only piece of software they rely on. /I/ certainly wouldn't want to.
>
> Also, I think Gustavo's whole point is that if we don't have a
> well-defined, deterministic procedure for security announcements and
> releases, then it's just as though we didn't care about security at all.
> Saying "look, we mentioned this one on our development blog" isn't
> really reassuring for the target group of people.
>
> Regards
>
> Antoine.

I'm not arguing against us having a well-defined, deterministic
procedure! We need one, for sure - I'm just defending Brian's actions
as perfectly rational and reasonable. Without his post, that CVE would
have been published, publicly available on other sites (CVE tracking
sites, and hence on the radar for people looking to exploit it), and
no one would be the wiser.

At least it got *some* attention this way. Is it the right thing to do
moving forward? Probably not - but do we have the people/person
willing to head up defining the policy and procedure, and do we have
the needed contacts in the OS vendors/3rd party distributors to notify
them rapidly in the case of fixing something like this?

A lag of several weeks from fixing a security issue to a source-level
release from us that OS vendors can run with is too slow, honestly.

jesse

